Inside InfoSec Law

The Right to be Forgotten and how European Law Could Affect Companies in the US

In the age of social media, pictures, social media posts, and other personally embarrassing and unsavory personal information may be enshrined in the internet. Efforts to remove personal information from the internet is often difficult, if not impossible, and can be met with considerable resistance from the holders of such data. It may not ever be possible to delete someone’s presence from the internet, but in the near future, it may become a little less difficult to have unwanted personal information removed.

The European Union is set to overhaul its privacy and data protection laws with the General Data Protection Regulation (GDPR), which goes into effect in May 25, 2018. New legislation in Britain, the Data Protection Bill, is currently being considered to align Britain’s data protection laws with the GDPR. Amongst the data and privacy protections in the GDPR and being proposed in the Data Protection Bill is a set of protections that would give consumers the “right to be forgotten.”

The right to be forgotten is a principle espoused by many privacy advocates. It is the ability to request deletion of specific personal information from a company that holds data. Many companies offer this kind of service. For example, most social media companies allow you to delete your information from the service. The right to be forgotten goes one step further and allows you to have removed from any company’s database all personal information that is irrelevant, inadequate, or excessive in relation to the purposes for which the data was collected, including publicly available information.

In a landmark 2014 court ruling in Europe, a Spanish man prevailed against Google in having two links removed from their search engine that appeared when his name was searched. These links related to his past financial history that, while accurate and public, the court felt was inadequate, irrelevant or excessive in relation to the purpose for which Google held the data. An important factor for the court was the age of the data, which was over 15 years old. In its ruling, the court stated that a request to have data removed based on the right to be forgotten should be assessed on a case by case basis, using a balancing test to weigh public interest in that information against the request for deletion.

In the time since the Google ruling, the right to be forgotten has been acknowledged under European law, and is enshrined in the EU’s General Data Protection Regulation (“GDPR”), set to go into effect in May of 2018. In the United Kingdom, the Data Protection Bill is set to be passed to conform with the GDPR, but includes even more protections, giving a person the right to have social media companies delete all posts from when a requesting user was under the age of 18.

Policy changes necessary for big companies that handle large volumes of data to comply with EU and UK law could affect the handling of data by companies in the US. The most obvious effect that the right to be forgotten could have is that policies and procedures adopted to comply with European law will be adopted across the board, making implementation easier in companies that operate both in Europe and the US. The biggest effects could come from a pending European court case that, again, features Google. This case could force companies to implement the right to be forgotten beyond the borders of Europe under certain circumstances. Specifically, France is demanding that Google implement requests under the right to be forgotten worldwide. That is, information deleted under the right must be deleted globally, not just in the territory where the request was made. France is concerned that, if information is not deleted globally, people will still be able to access the information, whether they are outside Europe or in Europe and faking their location. Google is resisting, arguing that complying with France’s demands would affect the right of freedom of expression in other countries, and could open the door to other countries demanding that information illegal under their laws be taken down globally by Google.

The right to be forgotten has picked up steam in Europe, and the implementation of this right could lead to big changes in the coming years. The perception of how people view the ownership of their personal data and how companies hold that data could be changing very soon.

Disclaimer: The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this web site or any of the e-mail links contained within the site do not create an attorney-client relationship between the author or Elkins PLC and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

About Post Author

Geoffrey engages in a broad-ranging practice including real estate development, federal and state tax credits, partnership, corporate and securities matters, information security plans and cyber-security, information privacy, privacy policies, privacy compliance, as well as representation of non-profit entities. He is a co-author of the book "The Architecture of Cybersecurity" and a member of the Elkins, PLC Cybersecurity & Privacy Protection team. Geoffrey also holds a Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals.